Abstract

The language Timed Concurrent Constraint Programming (tccp) is the extension over time of the Concurrent Constraint Programming (cc) paradigm that allows us to specify concurrent systems where timing is critical, for example reactive systems. Systems which may have an infinite number of states can be specified in tccp. Model checking is a technique which is able to verify finite-state systems with a huge number of states in an automatic way. In recent years several studies have investigated how to extend model checking techniques to systems with an infinite number of states. In this paper we propose an approach which exploits the computation model of tccp. Constraint-based computations allow us to define a methodology for applying a model checking algorithm to (a class of) infinite-state systems. We extend the classical model checking algorithm for LTL to a specific logic defined for the verification of tccp and to the tccp Structure which we define in this work for modeling the program behavior. We define a restriction on the time in order to get a finite model and then we develop some illustrative examples. To the best of our knowledge this is the first approach that defines a model checking methodology for tccp.

KEYWORDS: Automatic verification, reactive systems, timed concurrent constraint pro- 
gramming, model checking 



1 Introduction 

Model checking is a technique for formal verification that was defined for finite-state systems. It was first introduced in (Clarke and Emerson 1981) and (Queille and Sifakis 1982) for verifying automatically whether a system satisfies a given property. Concurrent systems can be very complicated, and the process of modeling and verifying them by hand can be hard. Thus, the development of formal and fully automatic methods such as model checking is essential. Basically, this technique consists in an exhaustive analysis of the state-space of the system. This exhaustive analysis implies that, in principle, we can apply it only to finite-state systems, which limits its applicability a lot. Furthermore, the state-explosion problem is the main drawback even for finite-state systems, and for this reason many approaches in the literature try to mitigate it. Two of the main solutions for the state-explosion problem that have been presented in recent years are the symbolic approach (McMillan 1993) and the algorithms for abstract model checking (Dams 1996). The idea which is shared by these approaches is to reduce the number of states of the system.

* This work has been partially supported by the EU (FEDER) and the Spanish MEC, under grant TIN 2004-7943-C04-02, by ICT for EU-India Cross Cultural Dissemination Project under grant ALA/95/23/2003/077-054, and by the Italian project Cofin'04 AIDA.

The different approaches to the model checking problem for infinite-state systems can be classified in two categories. The first one corresponds to those approaches that construct an abstract finite model of the system which can be automatically verified (see (Clarke et al. 1994; Loiseaux et al. 1995)). The second category contains those approaches based on symbolic reachability analysis, where a finite representation of the set of reachable configurations of the system is calculated (see (Alur et al. 1995; Cousot and Halbwachs 1978; Bouajjani et al. 1997; Boigelot and Godefroid 1996)). The methodologies that make use of regular languages and regular relations are considered in the so-called regular model checking approach (Pnueli and Shahar 2000; Kesten et al. 1997; Bouajjani et al. 2000). Moreover, in (Abdulla et al. 1999) the notion of abstraction and the notion of symbolic reachability are combined in order to define a method to verify infinite-state systems. Our approach is novel and makes use of a notion of abstraction based on constraints and a time interval. The notion of constraint is used to collapse the number of states.

In (Manna and Pnueli 1995) reactive systems are defined as those systems that keep exchanging information with their environment at run time. Reactive systems are typically defined as a set of processes working in parallel, hence the family of reactive systems is strictly related to the notion of concurrency. In some cases it is not expected that the system terminates; it may continue its execution indefinitely. Examples of such systems are operating systems, communication protocols or some kinds of embedded systems. Thus it is quite useful to have a specification language that supports concurrency, which makes it easier for the user to describe such systems. Usually, in model checking, by exploiting concurrency we model the whole system, including the environment. For example, users are represented as a concurrent process which models the possible actions that users can perform to interact with the system.

The language Timed Concurrent Constraint Programming (tccp) extends the Concurrent Constraint Programming (cc) paradigm defined in (Saraswat 1989) with a notion of time. This extension is suitable for modeling reactive systems. Actually, in the literature one can find two similar languages which extend cc with some notion of time: the tcc language first presented in (Saraswat et al. 1994) and the ntcc language defined in (Nielsen et al. 2002). tccp is a declarative language defined in (de Boer et al. 2000) that handles constraints, which is a key characteristic for the results which we achieve in the present work. Our idea is to take advantage of the natural properties of the language in order to define a model-checking algorithm that allows us to verify reactive systems specified in tccp. Note that when we speak of reactive systems we are not limiting ourselves to finite-state systems. The tccp language allows us to model infinite-state systems, hence we tackle the problem of model checking for infinite-state systems. We show how the constraint nature of the language and the fact that it has a built-in notion of time can be exploited usefully.

Some related works can be found in the literature where constraints are used for solving similar problems. In (Delzanno and Podelski 1999; Delzanno and Podelski 2001) the authors present a method that allows them to verify a communication protocol with an infinite number of states, in the sense that they prove that a client-server protocol is correct for an arbitrary number of processes (clients). This could not be proved by using classical approaches to model checking; however, it becomes possible thanks to the use of the notion of constraint.

The model-checking technique can be divided into three main phases: specification, modeling and verification. In this work, we use the notion of constraint in the three phases of the model-checking technique. First, we introduce the notion of constraint in the constructed model of the system. We note that constraints are able to represent in a compact manner a set of possible values that the system variables can take (i.e., a possibly infinite set of states if we use the classical notion of state). In the second phase we use a logic able to handle constraints for specifying the property to be verified. Such a logic was presented in (de Boer et al. 2001) and revisited in (de Boer et al. 2002). The last phase of the model-checking technique consists in defining an algorithm that determines whether the system satisfies the property by using the two outputs of the previous phases. In this work we extend the classical algorithm defined for LTL to the constrained approach. Note that we can take the classical algorithm as a reference because we use a logic able to handle constraints, and this makes it possible to combine it with the tccp Structure defined in this paper to model the system. Since this structure contains constraints, it would not be possible to use a classical temporal logic directly. To the best of our knowledge this is the first time that a model-checking algorithm for systems specified with the tccp language is defined. Some of the results in this work have been included in Villanueva's doctoral thesis (Villanueva 2003).

In (Falaschi et al. 2000a; Falaschi et al. 2000b) we presented a framework that allowed us to build a graph structure as a first step for applying the model-checking technique to tcc programs. tcc is a language similar to tccp for programming embedded systems. The main differences between tcc and the language that we consider here are the deterministic nature of the tcc language versus the non-determinism of tccp, and the monotonicity of the store in tccp. Monotonicity means that the store of the system always increases; tcc is not monotonic since the store is reset when passing from one time instant to the following one. These differences make the graph structures defined in (Falaschi et al. 2000a; Falaschi et al. 2000b) and in this work completely different. We will show these differences in detail in the following sections. Moreover, only the modeling process of the method was presented in (Falaschi et al. 2000a; Falaschi et al. 2000b), whereas in this paper we provide the logic used for the specification of the property and the model-checking algorithm as well.

This paper is organized as follows. In Section 2 we introduce some basic theoretical notions. In Section 3 we present the basic notions of the tccp language. Then, in Section 4 we describe the method to construct an adequate model of the system, which is shown to model correctly the operational semantics of the language. In Section 5 we present the logic for specifying the properties of our system. In Section 6 we define the algorithm that applies the model-checking technique to this model and show its correctness. Section 7 discusses some related work. Finally, in Section 8 final remarks and future work are discussed.

2 Preliminaries 

In this section we present some definitions necessary to follow the technical details of this work. For a quick reading it is possible to skip to Section 3.

A Constraint System is a system of partial information. We follow the definition of Saraswat et al.:

Definition 1 (Simple constraint system (Saraswat et al. 1991))
Let $C$ be a non-empty set of tokens or primitive constraints. A simple constraint system is a structure $(C, \vdash)$ where $\vdash \subseteq \wp_f(C) \times C$ is an entailment relation satisfying:

C1 $u \vdash P$ whenever $P \in u$,
C2 $u \vdash Q$ whenever $u \vdash P$ for all $P \in v$ and $v \vdash Q$.

Moreover, an element of $\wp_f(C)$ is called a finite constraint and $\vdash$ is extended to $\wp_f(C) \times \wp_f(C)$ in the obvious way. Finally, $u \approx v$ iff $u \vdash v$ and $v \vdash u$. We also say that $u \geq v$ when $v \vdash u$.

Definition 2 (Cylindric constraint system (Saraswat et al. 1991))
We define a cylindric constraint system as a structure $(C, \vdash, V, \{\exists_x \mid x \in V\})$ such that $(C, \vdash)$ is a simple constraint system, $V$ is an infinite set of variables and, for each $x \in V$, $\exists_x : \wp_f(C) \to \wp_f(C)$ is an operation satisfying:

E1 $u \vdash \exists_x u$,
E2 $u \vdash v$ implies $\exists_x u \vdash \exists_x v$,
E3 $\exists_x(u \cup \exists_x v) \approx \exists_x u \cup \exists_x v$,
E4 $\exists_x \exists_y u \approx \exists_y \exists_x u$.

$\exists_x$ is called the existential quantifier or cylindrification operator.

A set of diagonal elements for a cylindric constraint system is a family $\{\delta_{xy} \in C \mid x, y \in V\}$ such that

D1 $\vdash \delta_{xx}$,
D2 if $y \neq x, z$ then $\{\delta_{xz}\} \approx \exists_y(\{\delta_{xy}, \delta_{yz}\})$,
D3 if $x \neq y$ then $\{\delta_{xy}\} \cup \exists_x(u \cup \{\delta_{xy}\}) \vdash u$.

We define an element $c$ of a cylindric constraint system $(C, \vdash)$ as a subset of $C$ closed under entailment, i.e., such that $u \subseteq_f c$ and $u \vdash P$ implies $P \in c$.
3 Timed Concurrent Constraint Language

The tccp language was developed in (de Boer et al. 2000). It was designed as a computational model which allows one to model reactive and real-time systems. Thus, it is possible to specify and to verify distributed, concurrent systems where the notion of time is a crucial question. tccp is based on the cc paradigm (Saraswat 1989; Saraswat and Rinard 1990; Saraswat et al. 1991) that was presented as a general concurrent computational model.

The computational model of cc is defined by means of a global store and a set of defined agents that can add (tell) information into the store or check (ask) whether a constraint is entailed by the store. Computations evolve as an accumulation of information into a global store. In tccp the agents defined for cc are inherited. The model is enriched with a new agent and a discrete global clock. It is assumed that ask and tell actions take one time-unit and the parallel operator is interpreted in terms of maximal parallelism. Computation evolves in steps of one time-unit. It is assumed that the response time of the constraint solver is constant, independently of the size of the store. In practice some restrictions (mentioned below) are taken in order to ensure that these hypotheses are reasonable (the reader can see (de Boer et al. 2000) for details).

To model reactive systems it is necessary to have the ability to describe notions such as timeout or preemption. The timeout behavior can be defined as the ability to wait for a specific signal and, if a time limit is reached and such signal is not present, then an exception program is executed. The notion of preemption is the ability to abort a process when a specific signal is detected. In tccp these behaviors can be modeled by using the new conditional agent (not present in cc)

now c then A else B

which tests if, in the current time instant, the store entails the constraint c and, if it does, then in the same time instant it executes the agent A; otherwise, it executes B (in the same time instant). A limit on the number of nested conditional agents is imposed in order to ensure the bounded time response of the constraint solver within a time instant.

3.1 Syntax

The tccp language is parametric to an underlying cylindric constraint system as defined in Section 2. From now on we assume that $\mathcal{C} = (C, \vdash, V, \exists)$ is the underlying constraint system for tccp. Given $\mathcal{C}$, in Figure 1 we show the syntax of the agents of the language. We assume that $c$ and $c_i$ are finite constraints (i.e. elements) in $C$.

The Parallel and Hiding agents are inherited from the cc model and behave in the same way. Thus, the Parallel agent represents concurrency, whereas the Hiding operator makes a variable local to some process. Also the Tell, Choice and Procedure Call agents were present in the cc model, but in tccp they have a different semantics since in the timed model these three agents cause extension over time. The Tell agent adds the information $c$ to the store, but this information is available to other agents only in the following time instant. Therefore, we can say that the tell action
(Agents)        A ::= tell(c)                            Tell
                    | stop                               Stop
                    | Σ_{i=1}^{n} ask(c_i) → A_i           Choice
                    | now c then A else A                Conditional
                    | A ∥ A                              Parallel
                    | ∃x A                               Hiding
                    | p(x)                               Procedure Call

(Declarations)  D ::= D.D
                    | p(x) :- A

(Program)       P ::= D.A

Fig. 1. tccp syntax (following F. de Boer et al.)

takes one unit of time. The same thing occurs with the Choice and Procedure Call agents. Thus, when we execute the $\sum_{i=1}^{n} \mathit{ask}(c_i) \to A_i$ agent, the execution of $A_i$ starts in the next time instant. Note that the Choice agent models the nondeterministic behavior of the language; thus nondeterminism is always associated to a time delay.

Finally, the Conditional agent (now c then A else B) is the new agent introduced in the model in order to capture negative information. It behaves within a time unit in the sense that the condition is checked in the same instant of time as the execution of the corresponding agent is started. In particular, if the guard is satisfied, then A will be executed, otherwise the agent B will be executed (we note that B is executed also in the case when the store entails neither $c$ nor $\neg c$). If we have two nested conditional agents, then the guards are recursively checked within the same time instant. This is the reason why tccp needs a restriction on the maximum number of nested conditional agents.



3.2 tccp Operational Semantics 

Figure 2 shows the operational semantics for tccp as described in (de Boer et al. 2000). Each transition step takes one unit of time. In a configuration (Conf) there are two components: a set of agents and a finite constraint representing the store. The transition relation $\to \subseteq \mathit{Conf} \times \mathit{Conf}$ is the least relation that satisfies the rules in Figure 2. We can say that the transition relation characterizes the (temporal) evolution of the system.

Since tccp interprets concurrency in terms of maximal parallelism, we assume that there are as many processors as needed to execute a program. This behavior is described by means of rules R7, R8 and R9, where the reader can see that whenever it is possible, two agents are executed concurrently.

Rules R3, R4, R5 and R6 describe the operational semantics for the conditional agent. Note that the different possible behaviors depend on the store and on the initial configuration. Rule R10 shows the semantics for the Hiding operator. Intuitively, the rule says that, if there exists a transition $\langle A, d \cup \exists_x c\rangle \to \langle B, d'\rangle$, then $d'$ is the local information produced by $A$; moreover, this local information $d'$ must be hidden from the main process.
R1   ⟨tell(c), d⟩ → ⟨stop, c ∪ d⟩

R2   ⟨Σ_{i=1}^{n} ask(c_i) → A_i, d⟩ → ⟨A_j, d⟩                        if j ∈ [1, n] and d ⊢ c_j

R3   ⟨A, d⟩ → ⟨A', d'⟩
     ──────────────────────────────────────────                       if d ⊢ c
     ⟨now c then A else B, d⟩ → ⟨A', d'⟩

R4   ⟨A, d⟩ ↛
     ──────────────────────────────────────────                       if d ⊢ c
     ⟨now c then A else B, d⟩ → ⟨A, d⟩

R5   ⟨B, d⟩ → ⟨B', d'⟩
     ──────────────────────────────────────────                       if d ⊬ c
     ⟨now c then A else B, d⟩ → ⟨B', d'⟩

R6   ⟨B, d⟩ ↛
     ──────────────────────────────────────────                       if d ⊬ c
     ⟨now c then A else B, d⟩ → ⟨B, d⟩

R7   ⟨A, c⟩ → ⟨A', c'⟩    ⟨B, c⟩ → ⟨B', d'⟩
     ──────────────────────────────────────────
     ⟨A ∥ B, c⟩ → ⟨A' ∥ B', c' ∪ d'⟩

R8   ⟨A, c⟩ → ⟨A', c'⟩    ⟨B, c⟩ ↛
     ──────────────────────────────────────────
     ⟨A ∥ B, c⟩ → ⟨A' ∥ B, c'⟩

R9   ⟨A, c⟩ → ⟨A', c'⟩    ⟨B, c⟩ ↛
     ──────────────────────────────────────────
     ⟨B ∥ A, c⟩ → ⟨B ∥ A', c'⟩

R10  ⟨A, d ∪ ∃_x c⟩ → ⟨B, d'⟩
     ──────────────────────────────────────────
     ⟨∃^d x A, c⟩ → ⟨∃^{d'} x B, c ∪ ∃_x d'⟩

R11  ⟨p(x), c⟩ → ⟨A, c⟩                                              if p(x) :- A ∈ D

Fig. 2. Operational semantics for the tccp language, extracted from F. de Boer et al.



The observable behavior of the language is defined from the transition system described in Figure 2 and considers the input/output of finite and infinite computations:

Definition 3 (Observable)
Let $A$ be an agent of the tccp language. Its operational behavior is given by the set of resulting stores computed by $A$ for each given input store, considering finite and infinite computations:

$\mathcal{O}(A) = \{\, d \mid \langle A, c\rangle \to \langle B_1, c_1\rangle \to \cdots \to \langle B_i, c_i\rangle \to \cdots,\ \text{where } d = \{c, c_1, \ldots, c_i, \ldots\} \,\}$
3.3 Practical Example 



We can find in the literature a variety of examples of systems that can be modeled using the tccp language. Here we develop a typical system: a microwave oven. In Figure 3 the reader can see the behavior of a microwave. We can note that, for example, if we are in a state where the door of the microwave is closed, the system is turned off and no error is detected. If, from that state, we open the door, then we move to the state at the top of the figure.



Fig. 3. Example: the microwave system. (State diagram; of its transition labels only "turn-off" and "close" survive from the figure.)

The whole system example is inspired by the system for a microwave control shown in the classical literature (Clarke et al. 1999). However, we have considered only a subpart of the system in order to easily use this example as a reference in this work. In Figure 4 we show the tccp program which models a reduced part of the microwave system. In particular, it models the part of the system which detects if the door is open when the microwave is turned on.



microwave_error(Door, Button, Error) :-
    ∃ D, B, E ( tell(Error = [_ | E]) ∥ ( tell(Door = [_ | D]) ∥ ( tell(Button = [_ | B]) ∥
        ( now (Door = [open | D] ∧ Button = [on | B]) then
              ( ∃ E1 ( tell(E = [yes | E1]) ) ∥
                ∃ B1 ( tell(B = [off | B1]) ) )
          else
              ( ∃ E1 ( tell(E = [no | E1]) ) ∥
                microwave_error(D, B, E) ) ) ) ) ).

Fig. 4. Example of a tccp program: a simple error controller

Looking into the program code, we can observe that a Conditional agent checks if the door is open when the microwave is turned on. In that case, it forces (with the Tell agent) that in the following time instant the microwave is turned off and an error signal is emitted. If it is not true that the door is open and the microwave is working, then the program simply emits (via the Tell agent) a signal of no error that will be available in the global store in the following time instant. Therefore, this example corresponds to the part of the system which avoids wrong behaviors such as those in Figure 3 which are represented by the two states on the right.

This simple example allows us to illustrate the fact that tccp is not able to model strong preemption, i.e., it is not possible to turn off the start button in the same instant when the error is detected. Actually, it is possible to start the execution of the agent that turns the button off, but the fact that it has been turned off is visible only in the following time instant.
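The rules of Figure 2 and the controller of Figure 4 can be exercised with the following small interpreter. It is an added example written for this page, not code from the paper or from de Boer et al.; it assumes a simplified constraint system in which a constraint is a set of atomic tokens, the store is the set of tokens told so far, and $d \vdash c$ holds iff $c \subseteq d$. The Hiding agent (R10) is omitted because the token encoding has no local variables, and the door and button readings of the microwave are indexed by iteration instead of being encoded as stream tails. The trace it returns shows the weak preemption discussed above: the guard that detects the open door is evaluated against the store of one instant, and the `off` token appears only in the store of the following instant.

```python
"""Step interpreter for the tccp transition rules R1-R11 of Figure 2.

Added example, not code from the paper.  Assumptions of this example:
  * a constraint c is a frozenset of atomic tokens; the store d is the set of
    tokens told so far; d |- c holds iff c is a subset of d (no solver);
  * the Hiding agent (R10) is omitted, the token encoding has no local vars;
  * agents are tuples: ('tell', c), ('stop',), ('ask', [(c_i, A_i), ...]),
    ('now', c, A, B), ('par', A, B), ('call', name, args).
"""

STOP = ('stop',)


def entails(store, c):
    """d |- c for the token constraint system (assumption of the example)."""
    return c <= store


def step(agent, store, decls):
    """One transition <agent, store> -> <agent', store'>, i.e. one time unit.
    Returns None when no rule applies (the agent is suspended or is stop)."""
    kind = agent[0]
    if kind == 'stop':
        return None
    if kind == 'tell':                                   # R1
        return STOP, store | agent[1]
    if kind == 'ask':                                    # R2: an enabled branch
        for c_i, a_i in agent[1]:                        # (first one, for determinism)
            if entails(store, c_i):
                return a_i, store
        return None
    if kind == 'now':                                    # R3-R6
        _, c, a, b = agent
        branch = a if entails(store, c) else b           # else-branch also when
        return step(branch, store, decls) or (branch, store)  # neither c nor not-c
    if kind == 'par':                                    # R7-R9, maximal parallelism
        _, a, b = agent
        ra, rb = step(a, store, decls), step(b, store, decls)
        if ra is None and rb is None:
            return None
        a2, da = ra if ra else (a, store)
        b2, db = rb if rb else (b, store)
        return ('par', a2, b2), da | db                  # both sides read the old store
    if kind == 'call':                                   # R11: unfolding costs one step
        _, name, args = agent
        return decls[name](*args), store
    raise ValueError(f'unknown agent {agent!r}')


def run(agent, store, decls, steps):
    """Return the stores d_0, d_1, ... reached at each time instant."""
    trace = [store]
    for _ in range(steps):
        nxt = step(agent, store, decls)
        if nxt is None:
            break
        agent, store = nxt
        trace.append(store)
    return trace


def microwave_error(k):
    """Iteration k of the error controller of Figure 4.  Door/button readings
    are indexed by iteration instead of stream tails (assumption)."""
    guard = frozenset({f'door[{k}]=open', f'button[{k}]=on'})
    then_branch = ('par', ('tell', frozenset({f'error[{k}]=yes'})),
                          ('tell', frozenset({f'button[{k + 1}]=off'})))
    else_branch = ('par', ('tell', frozenset({f'error[{k}]=no'})),
                          ('call', 'microwave_error', (k + 1,)))
    return ('now', guard, then_branch, else_branch)


DECLS = {'microwave_error': microwave_error}

# Constructed environment: door closed at iteration 0, opened while on at 1.
ENV = frozenset({'door[0]=closed', 'button[0]=on',
                 'door[1]=open', 'button[1]=on'})


def detection_trace():
    """Run the controller on the constructed environment, at most 6 instants."""
    return run(microwave_error(0), ENV, DECLS, steps=6)


def first_instant_with(trace, token):
    """Index of the first store in the trace that entails the token."""
    return next(i for i, d in enumerate(trace) if token in d)


if __name__ == '__main__':
    for t, d in enumerate(detection_trace()):
        print(t, sorted(d - ENV))
```

The guard of iteration 1 is evaluated against the store of instant 1, which entails `door[1]=open` and `button[1]=on`; the tokens `error[1]=yes` and `button[2]=off` are told during that step and are entailed only by the store of instant 2. Replacing the token entailment with a real constraint solver and adding R10 are the two changes needed to run the stream-based program of Figure 4 as written.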

4 tccp Model Checking

The cc paradigm has some interesting features which allow us to define a model-checking algorithm for reactive systems. We define a model-checking algorithm which uses a time interval (provided by the user) in order to restrict the state-space of the system in the cases when the algorithm does not terminate. The fact that time is part of the semantics makes the use of such a restriction reasonable, since the user knows how much time is needed to have a response from the system. The reader could think that the restriction to an interval of time could make the algorithm incomplete in too many cases. In the following sections we show that the time interval is not always used. Obviously, the user must provide a reasonable time interval. Moreover, if the limit is reached and the verification is terminated, then we obtain an over-approximation of the system, thus some properties can still be checked. The idea of limiting the verification to a time limit is not new. It has been used in different approaches, for example in (Alur et al. 1997).

Let us now develop a model-checking technique for tccp programs. The key ideas are that we use the notion of constraint which underlies the language in order to have a compact model of the system first, and second, to handle the model directly to verify properties.

In the following we describe in detail the three main phases which implement the model-checking algorithm. We also illustrate each phase with the application of the method to the microwave example.

4.1 Model Construction

The first task of the method corresponds to the construction of the model of the system. In classical approaches, Kripke Structures (1) are used to model the system behavior; in our approach we define a similar structure called tccp Structure whose states are essentially a conjunction of constraints of the underlying constraint system. The idea is to automate the construction of the model of the system from the specification. In other words, we take a program written in tccp, and a model of the system behavior is constructed in an automatic way.

4.1.1 Program Labeling

First of all, we need a labeled version of the specification in order to construct the model of the system automatically. We adapt the idea introduced in (Manna and Pnueli 1995) to our framework: a different label is assigned to each occurrence of an agent. Labels allow us to identify during the model construction at which point of the execution of the program we are. The presence or absence of a label determines whether the associated agent can be executed or not during the computation. The labeling process consists in the introduction of a different label for each occurrence of a language construct:

(1) Kripke Structures were defined in (Hughes and Cresswell 1968). The definition can also be seen in (Clarke et al. 1999), for example.

M. Falaschi and A. Villanueva

Definition 4
Let $P$ be a specification; the labeled version $P_l$ of $P$ is defined as follows. The subindex $k \in \mathbb{N}$ corresponds to the number of labels introduced up to a given point. When the labeling process starts, $k = 0$, and each time that we introduce a new fresh label, $k$ is incremented by one.

• If $P = \mathit{stop}$ then $P_l = l_{stop_k}\ \mathit{stop}$.
• If $P = \mathit{tell}(c)$ then $P_l = l_{tell_k}\ \mathit{tell}(c)$.
• If $P = \sum_{i=1}^{n} \mathit{ask}(c_i) \to A_i$ then $P_l = l_{ask_k}\ \sum_{i=1}^{n} \mathit{ask}(c_i) \to A_i$.
• If $P = \mathit{now}\ c\ \mathit{then}\ A\ \mathit{else}\ B$ then $P_l = l_{now_k}\ \mathit{now}\ c\ \mathit{then}\ A_l\ \mathit{else}\ B_l$.
• If $P = A \parallel B$ then $P_l = l_{\parallel_k}\ (A_l \parallel B_l)$.
• If $P = \exists x\, A$ then $P_l = l_{\exists_k}\ \exists x\, A_l$.
• If $P = p(x)$ then $P_l = l_{p_k}\ p(x)$.

The labeling of a declaration $D$ of the form $p(x) :- A$ is defined as $l_{p_k}\ p(x) :- A_l$, called $D_l$. Finally, the labeled version of a program of the form $D.A$ is $D_l.A_l$.

In practice, we explore the tccp specification, and each time that we find an occurrence of a construct we introduce a new label which identifies that point of the program.

In Figure 5 we show the labeled version of the microwave error detection program shown in Figure 4. Note that the structure of the program has not changed; simply some labels have been added.



{l_p0} microwave_error(Door, Button, Error) :-
    {l_∃1} ∃ D, B, E ( {l_∥2} ( {l_tell3} tell(Error = [_ | E]) ∥ ( {l_∥4} ( {l_tell5} tell(Door = [_ | D]) ∥
        {l_∥6} ( {l_tell7} tell(Button = [_ | B]) ∥
            {l_∥8} ( {l_now9} now (Door = [open | D] ∧ Button = [on | B]) then
                  {l_∥10} ( {l_∃11} ∃ E1 ( {l_tell12} tell(E = [yes | E1]) ) ∥
                            {l_∃13} ∃ B1 ( {l_tell14} tell(B = [off | B1]) ) )
              else
                  {l_∃15} ∃ E1 ( {l_tell16} tell(E = [no | E1]) ) ∥
                  {l_p17} microwave_error(D, B, E) ) ) ) ) ) ).

Fig. 5. Example of a labeled tccp program: a simple error controller



4.1.2 The tccp Structure

The main point in the modeling phase is the construction of the graph structure which represents the system behavior. We define a new graph structure to represent the system. The tccp Structure is defined as a variant of the Kripke Structure. Intuitively, a Kripke Structure is a finite graph structure where there could be many initial nodes and each node is always related to another one (or to itself). Moreover, each state has associated a set of atomic propositions which are true in that state.

The main difference between the two structures is that the definition of a state in the Kripke Structure follows the classical notion of state, whereas in our structure a state consists of a conjunction of constraints and intuitively it can be seen as a set of classical states.

Let us formally define our tccp Structure. 

Definition 5
The set $AP$ of atomic propositions is defined as the set of elements (2) of the cylindric constraint system $C$ of the tccp language.

In the rest of the paper we abuse notation by identifying the terms constraint, atomic proposition and element. Next we define what a state of the tccp Structure is:

Definition 6 (tccp State)
Let $AP$ be the atomic propositions in the tccp syntax and $L$ be the set of all labels generated during the labeling process described above. We define the set of states as $S \subseteq 2^{AP} \times 2^{L}$.

Before the definition of the tccp Structure, we define the notion of equivalent states. For this, we need the classical notion of renaming of variables. Let $y_1, \ldots, y_n$ be $n$ distinct variables. The substitution $\{x_1/y_1, \ldots, x_n/y_n\}$ is a renaming.

Definition 7 (Equivalent States)
Given two tccp states $s$ and $s'$, we say that the two states are equivalent if:

• the set of labels $l \subseteq L$ of $s$ and the set of labels $l' \subseteq L$ of $s'$ coincide and,
• there exists a renaming $\gamma$ of the variables of the constraints in $s$ which makes them syntactically identical to the set of constraints of $s'$.

In Definition 8 we define the tccp Structure. Observe that the differences w.r.t. a Kripke Structure are the definition of state (Definition 6) and the two labeling functions $C$ and $T$ which replace the labeling function $L$ of the classical Kripke Structure.

Definition 8 (tccp Structure)
Let $AP$ be a set of atomic propositions; we define a tccp Structure $M$ over $AP$ as a five-tuple $M = (S, S_0, R, C, T)$ where

1. $S$ is a finite set of states.
2. $S_0 \subseteq S$ is the set of initial states.
3. $R \subseteq S \times S$ is a transition relation.
4. $C : S \to 2^{AP}$ is the function that returns the set of atomic propositions in a given state.
5. $T : S \to 2^{L}$ is the function that returns the set of labels in a given state.

(2) See the definition in Section 2.

We assume that a transition in the graph represents an increment of one time-unit in the system. Intuitively, $C$ labels a state with the set of constraints true in that state. In other words, this function represents the new information that we know at a specific instant. $T$ labels each state with the set of labels associated to agents that must be executed in the following time instant. In other words, $T$ represents the point of execution at each instant (or state).

When two states $s$ and $s'$ are related by $R(s, s')$, it means that it is possible to reach the state $s'$ from state $s$ by executing the agents associated to the labels in $T(s)$ with the store $C(s)$, deriving as a result (by applying the renaming $\gamma$) the store $C(s')$ and the point of execution $T(s')$. In other words, given a state $s$ and a renaming $\gamma$, we obtain a state $s'$ whose store is $C(s') \cdot \gamma$.

Given a tccp Structure $Z = (S, S_0, R, C, T)$, we define $tr(Z)$ as the set of sequences of states of $Z$ starting from an initial state and related by $R$:

$tr(Z) = \{\, \sigma \mid \sigma = s_0 \cdot s_1 \cdots s_n \cdots \;\wedge\; s_0 \in S_0 \;\wedge\; \forall i \geq 0,\ \exists R(s_i, s_{i+1}) \,\}$   (1)

which intuitively means that for each $s_i$ there exists a transition to the (renamed) state $s_{i+1} \cdot \gamma_i$.

4.1.3 Construction of the model

In this section we show how the tccp Structure that represents the system behavior is constructed from a labeled specification $S$ in an automatic way. We present the pseudo-code of the necessary algorithms for the construction. Moreover, we show the complexity of such algorithms and explain the process from a theoretical point of view.

Intuitively, the construction evolves as follows. A process is composed of a set of clauses and a goal. A specification is a set of clauses. We describe how a specification (or declaration) can be transformed into a set of tccp Structures. Actually, for each different clause we construct a tccp Structure which is labeled with a unique name. This name can be used as one of the labels introduced in the program and is used when a procedure call refers to such clause. We consider that the declaration $D_l$ of the form $p(x) :- A_l$ is public information which is always available. We also assume that each label $l_A$ is associated with the agent $A$.

The first algorithm that we show is the main procedure construct($D$) (Figure 6) which, given a tccp declaration $D_l$ of the form $l_p\ p(x) :- A_l$, returns a tccp Structure $(S, S_0, R, C, T)$ representing the behavior of $p$.

We define globally a data type called state which represents a state of the tccp Structure. We assume that store is a conjunction of constraints and label is a set of labels in $L$.

state :
    st : store;
    l[] : label;
In our pseudo-code, we use the dot notation to access the components of a state. Moreover, we use the notation [] for lists of elements, thus l[] is a list of labels. The value ⊥ is a possible value of a store, denoting unsatisfiability.

Finally, we simplify the treatment of the functions $C$ and $T$. Although we do not mention them in the algorithm itself, these functions correspond to the two components of the state structure of the algorithm. We also write $R(n, n')$ to state that nodes $n$ and $n'$ are related.



construct(input D : tccp declaration,
          output (S, S_0, R, C, T) : tccp Structure)
    s : state;
    S', S'_0 : set of states;
    inf[] : store;
    lab[] : set of labels;
    j : int;

    S' = ∅;                      // ∅ denotes the empty set
    S'_0 = ∅;
    inf = instant(true, l_A);    // l_p p(x̄) :- A_i
    lab = follows(l_A);
    for j = 1 to sizeof(inf)
        if inf[j] <> ⊥ then
            s = create_node(inf[j], lab[j]);
            C(s) = inf[j];
            L(s) = lab[j];
            S' = S' ∪ {s};
    S'_0 = S';
    construct_ag(S', S'_0, R', C', T');
    S = S'; S_0 = S'_0; R = R';
    C = C'; T = T';

Fig. 6. Description of the construction algorithm

Roughly speaking, in this algorithm the tccp Structure is initialized and the set of initial states is created. Then the function construct_ag (Figure 7) is called. This function iteratively completes the construction. Functions instant and follows are two auxiliary procedures used during the construction of the tccp Structure. We show them below.

Now we show (Figure 7) the construct_ag procedure, which uses two more auxiliary functions: the find($s$, $S$) function, which returns a reference to the state in $S$ which coincides (modulo renaming of variables) with $s$, and the perm function which, given two states, returns the necessary renamings which make them equivalent.

Given a label $l_A$, follows($l_A$) returns the list which contains the labels associated to the agents that must be analyzed in the following time instant. Each element of the list corresponds to a different possible behavior of the system. For example, in the case of a conditional agent, the initial part of the list corresponds to the possible behaviors when the guard of the agent is satisfied, and the final part of the list corresponds to the case when it is not satisfied. Therefore, if two or more conditional agents are nested, then all the possible behaviors depending on the first






M. Falaschi and A. Villanueva 



construct_ag(input/output S[] : state; input S_0[] : state;
             input/output R : relation, C, T : function)
    stat1, stat2 : state;
    s[], acc[] : state;
    inf[] : store;
    lab[] : set of labels;
    rn : renaming of variables;
    j, k : int;

    acc = S;
    j = 0;
    while acc <> ∅ do
        stat1 = select(acc);
        acc = remove(acc, stat1);
        inf = instant(stat1.st, stat1.ℓ);
        lab = follows(stat1.ℓ);
        for k = 1 to sizeof(inf)
            if inf[k] <> ⊥ then
                s[j] = create_node(inf[k], lab[k]);
                stat2 = find(s[j], S);
                if (stat2) then          // there exists an equivalent state
                    rn = perm(s[j], stat2);
                    R(stat1, rn, stat2);
                else
                    R(stat1, {}, s[j]);
                    S = S ∪ {s[j]};
                    acc = acc ∪ {s[j]};
                    C[j] = inf[k];
                    L[j] = lab[k];
                    j = j + 1;           // advance only after s[j] has been recorded

Fig. 7. Description of the construction algorithm for agents

then part will appear before those of the else part in the list. Since tccp restricts 
the number of nested conditional agents in a program, we can ensure that this 
algorithm terminates and the list of sets of labels is finite. 

The follows algorithm uses two additional auxiliary functions, append and combine, which are functions that implement operations over lists: append($\ell_1$, $\ell_2$) returns the concatenation of the two lists $\ell_1$ and $\ell_2$, whereas combine($\ell_1$, $\ell_2$) constructs a new list whose elements consist of an element of $\ell_1$ and an element of $\ell_2$. For example, if $\ell_1 = \{\{l_1\},\{l_2\}\}$ and $\ell_2 = \{\{l_3\}\}$, then the result of combine($\ell_1$, $\ell_2$) is the list $\{\{l_1, l_3\},\{l_2, l_3\}\}$.

We can show that the complexity of the algorithm shown in Figure 8 is exponential in the maximum number of nested agents in the specification. The high complexity is a theoretical case which does not occur in practice. We think that the complexity in practical cases should be semi-linear on average.

Lemma 1

The time complexity for the algorithm follows($l_A$) presented in Figure 8 is $O(n \cdot 2^m)$



Automatic Verification of Timed Concurrent Constraint Programs 






list_of_sets_of_labels follows(l_A : label)
    ℓ[], ℓ1[], ℓ2[] : set_of_labels;
    n, i, j : int;

    case A of                    // we assume that A is the agent associated with l_A
        stop : ℓ[1] = {};
        tell(c) : ℓ[1] = {};
        Σ_{i=1}^{n} ask(c_i) → A_i : for j = 1 to n
                                        ℓ[j] = {l_{A_j}};
                                    ℓ[n+1] = {l_A};
        now c then B1 else B2 : ℓ1 = follows(l_{B1});
                                ℓ2 = follows(l_{B2});
                                ℓ = append(ℓ1, ℓ2);
        B1 || B2 : ℓ = combine(follows(l_{B1}), follows(l_{B2}));
        ∃x B1 : ℓ = follows(l_{B1});
        p(x) : ℓ = {l_p};        // where l_p represents the label
                                 // of the tccp Structure constructed for p
    end case;
    return ℓ;

Fig. 8. Description of the auxiliary algorithm follows(l_A)

where $m$ is the maximum number of nested agents and $n$ is the size of the list returned by follows($l_A$).

Proof 

First of all, we know that the agent $A$ has a finite number of nested agents. Moreover, we can see that the cost of the algorithm in the case of Tell and Stop agents is constant since follows($A$) = {} in such cases. The cost is constant also in the case of Procedure Call agents since follows($p(x)$) returns a single label. For the Choice agent, the cost depends on the number of asks contained in the agent. Therefore, given the agent $\sum_{i=1}^{n} ask(c_i) \rightarrow A_i$, the cost will be $n + 1$. In addition, we know that the maximum number of nested recursive calls is $2^m$, which corresponds to the worst case: when every nested agent is a parallel or conditional agent. Note that in these cases the functions combine or append are used. These are indeed the expensive operations which we count. We assume that the cost of these functions is linear in the size of the resulting list.

Thus, the time complexity of the worst case is $O(n \cdot 2^m)$. □

Next we show the second auxiliary function needed during the automatic construction of the model (see Figure 9). Given a store and a label, instant($c$, $l_A$) returns a list of stores which corresponds to the information which can be computed instantaneously (i.e., before the following time instant) by executing the agents associated with the label $l_A$. In this algorithm we have marked the negation not*($c$) with a star to indicate that the semantics of negation is defined as the non-satisfiability of $c$ instead of the satisfiability of $\neg c$. The instant procedure uses the auxiliary function flat($st$, $ll$) (Figure 10) which adds the constraint $st$ to each element of the list $ll$, returning a simple list of stores. If $st$ is inconsistent with any element of the list, then the value of that element is set to ⊥.
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list_of_stores instant(input st : store, l_A : label)
    s[], s1[], s2[] : store;
    j : int;

    case A of                    // we assume that l_A is associated to the agent A
        abort : s[1] = true;
        tell(c) : s[1] = c;
        Σ_{i=1}^{n} ask(c_i) → A_i : for j = 1 to n
                                        s[j] = {c_j};
                                    s[n+1] = true;
        now c then B1 else B2 : s1 = flat(st, instant(st ⊔ c, l_{B1}));
                                s2 = flat(st, instant(not*(c) ⊔ st, l_{B2}));
                                s = append(s1, s2);
        B1 || B2 : s = combine(instant(st, l_{B1}), instant(st, l_{B2}));
        ∃x B1 : s[1] = {st[y/x]} ⊔ instant(st, l_{B1[y/x]});   // where y is a fresh variable
        p(x) : s[1] = true;      // where p(x) :: {l_{B1}} B1 is a
                                 // clause of the specification
    end case;
    return s;

Fig. 9. Description of the auxiliary algorithm instant(st, l_A)



list_of_stores flat(input st : store, ll[] : store)
    s[] : store;
    j : int;

    for j = 1 to sizeof(ll)
        if ll[j] ⊔ st = false then
            s[j] = ⊥;
        else
            s[j] = ll[j] ⊔ st;
    return s;

Fig. 10. Description of the auxiliary algorithm flat(st, ll)
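As an added worked example (not the paper's own code), the following Python sketch implements follows, instant, flat, append and combine from Figures 8 to 10, plus the node-generation loop body of Figures 6 and 7, over a toy constraint system of variable/value atoms. The store encoding, the agent encoding, the MICRO agent and the convention that instant returns full stores (the figure returns only the new information in several cases) are my assumptions; the hiding agent is omitted.

```python
# Toy constraint system.  A store is a frozenset of atoms; an atom is
# ("eq", var, value) or ("not*", c) with c a store: the starred negation of
# Fig. 9, inconsistent with a store exactly when that store entails c.
TRUE = frozenset()
BOT = None                      # the ⊥ of the paper: an unsatisfiable store


def eq(var, value):
    """The constraint var = value as a one-atom store."""
    return frozenset({("eq", var, value)})


def consistent(store):
    """No variable with two values, and no not*(c) whose c is entailed."""
    values = {}
    for atom in store:
        if atom[0] == "eq" and values.setdefault(atom[1], atom[2]) != atom[2]:
            return False
    positives = {a for a in store if a[0] == "eq"}
    return all(not a[1] <= positives for a in store if a[0] == "not*")


def join(st, c):
    """st ⊔ c: least upper bound of two stores, ⊥ when the result is false."""
    if st is BOT or c is BOT:
        return BOT
    result = st | c
    return result if consistent(result) else BOT


def append(l1, l2):
    return list(l1) + list(l2)


def combine(l1, l2, merge):
    """One element of l1 merged with one of l2, in l1-major order, e.g.
    combine([[l1], [l2]], [[l3]]) = [[l1, l3], [l2, l3]] as in the text."""
    return [merge(a, b) for a in l1 for b in l2]


def flat(st, ll):
    """Fig. 10: add st to every store of ll; ⊥ where that is inconsistent."""
    return [join(s, st) for s in ll]


# Agents double as their own labels:  ("stop",)  ("tell", c)  ("call", "p")
# ("choice", [(c1, A1), ...]) for Σ ask(c_i) → A_i   ("now", c, B1, B2)
# ("par", B1, B2).  The hiding agent ∃x B is left out for brevity.
def follows(agent):
    """Fig. 8: one entry per possible behaviour, each the list of labels
    (agents) to be executed in the next time instant."""
    kind = agent[0]
    if kind in ("stop", "tell"):
        return [[]]
    if kind == "choice":          # one entry per guard, then "no guard fired"
        return [[a_i] for _, a_i in agent[1]] + [[agent]]
    if kind == "now":
        return append(follows(agent[2]), follows(agent[3]))
    if kind == "par":
        return combine(follows(agent[1]), follows(agent[2]), lambda a, b: a + b)
    if kind == "call":
        return [[agent]]          # the label of the Structure built for p
    raise ValueError(kind)


def instant(st, agent):
    """Fig. 9: the stores reachable from st in one instant, index-aligned
    with follows(agent).  Unlike the figure, every entry is the full store
    (st joined with the new information); ⊥ marks a pruned branch."""
    if st is BOT:                 # keep the alignment below a false store
        return [BOT] * len(follows(agent))
    kind = agent[0]
    if kind in ("stop", "call"):
        return [st]
    if kind == "tell":
        return [join(st, agent[1])]
    if kind == "choice":          # each guard c_i is taken as an assumption
        return [join(st, c_i) for c_i, _ in agent[1]] + [st]
    if kind == "now":
        _, c, b1, b2 = agent
        s1 = flat(st, instant(join(st, c), b1))
        s2 = flat(st, instant(join(st, frozenset({("not*", c)})), b2))
        return append(s1, s2)
    if kind == "par":
        return combine(instant(st, agent[1]), instant(st, agent[2]), join)
    raise ValueError(kind)


def successors(st, agent):
    """The loop body of Figs. 6 and 7: pair each store with its labels and
    drop the ⊥ entries, i.e. the branches for which no node is created."""
    inf, lab = instant(st, agent), follows(agent)
    assert len(inf) == len(lab)
    return [(s, l) for s, l in zip(inf, lab) if s is not BOT]


# Constructed agent in the spirit of the microwave example: if the door is
# open, signal the error and switch off in parallel; otherwise report no error.
DOOR_OPEN = eq("door", "open")
MICRO = ("now", DOOR_OPEN,
         ("par", ("tell", eq("error", "yes")), ("tell", eq("button", "off"))),
         ("tell", eq("error", "no")))

if __name__ == "__main__":
    for store, labels in successors(eq("door", "closed"), MICRO):
        print(sorted(store), labels)
```

With an unknown door state both branches survive as assumptions; with the door known to be open (or closed) the inconsistent branch is pruned to ⊥ and only one node is generated.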

It is easy to see that the time complexity of flat is linear on the size of the list. 
Lemma 2 

The time complexity for the algorithm flat($c$, $ll$) presented in Figure 10 is $O(n)$ where $n$ is the number of elements in the list $ll$.

Proof 

The proof is trivial since we iterate n times over the elements of the list. □ 

The complexity of the algorithm instant shown above is exponential in the maximum number of nested agents in the specification. Note that also in this case this is a theoretical case which may only occur very rarely in practice. We think that the complexity in practical cases should be semi-linear on average.

Lemma 3 

The time complexity for the algorithm instant($st$, $l_A$) presented in Figure 9 is $O(n \cdot 2^m + 2n)$ where $m$ is the maximum number of nested agents and $n$ is the cardinality of the list of stores returned by instant($st$, $l_A$).




Proof 

We know that the agent $A$ has a finite number of nested agents. We also know that if the agent is a Stop, Tell or Procedure Call agent, then the cost of the function is constant. If $A$ is a Choice agent, then we have a linear cost, in particular we have $O(n + 1)$ since there is an iterative loop over the number $n$ of guards in the Choice.

Now let us consider the three remaining cases. For both the Conditional and the 
Parallel agents we have two recursive calls, whereas for the Hiding agent we have a 
single recursive call. We assume that the combine and append functions are linear 
in the size of the two lists passed as argument (i.e., we take 0(n) where n is the 
number of elements in the resulting list). 

Therefore, we can say that the upper bound for the global complexity of the algorithm is $O(n \cdot 2^m + 2n)$ where $m$ is the maximum number of nested agents.

□ 

Now we can analyze the complexity of the construct algorithm. First of all, we 
state the complexity for the construct_ag function. 

Lemma 4 

The time complexity for the algorithm construct_ag($S$, $S_0$, $R$, $C$, $T$) presented in Figure 7 is $O(c \cdot m \cdot 2^m)$ where $m$ is the maximum number of nested agents, and $c$ is the number of states in the model.

Proof 

By Lemma 1 and Lemma 3 we know the complexity of the auxiliary functions. Moreover, we know that select and remove take linear time and we assume that create_node has constant complexity. We know that the while loop will be executed $c$ times, where $c$ is the number of different states in the model.

We can see that each time the loop is executed, we have one procedure call to each auxiliary function. Moreover, we have a for loop which is executed at most $m + 1$ times. Therefore, the cost of the for loop is $O(m)$ and the cost of the while loop is $2c \cdot (m \cdot 2^m)$. We ensure the finiteness of the number of states since we know that there is a finite number of combinations of labels and constraints (which appear in the specification) modulo renaming. □

Theorem 1 

The time complexity for the algorithm construct($D$) presented in Figure 6 is $O(c \cdot (2m \cdot 2^m))$ where $m$ is the maximum number of nested agents and $n$ is the cardinality of the resulting list.

Proof 

We know the cost of the auxiliary algorithms. Following the structure of the algorithm, we can see that there is one call to the construct_ag function. In addition, we have a procedure call to the algorithms instant and follows. Then, we have to add the cost of such algorithms: $O(2n \cdot 2^m + c \cdot (2m \cdot 2^m))$. We also have a for loop which is executed at most $m$ times. Therefore, we obtain the global complexity given in this result. □
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Let us now explain intuitively the idea of the algorithm shown in the figure above. Each time an agent is analyzed, some actions are executed. In the following description we show the intuitions behind the formal definitions:

Stop S = stop. When we find a stop agent, we add no information to the store, 
insert a self-loop over the new node and instantiate the set of labels to the empty 
set since the construction must be concluded. 

Tell S = tell (c) . The new information c is introduced into the store and the label 
associated to S is removed from the labels to be executed. 

Choice $S = \sum_{i=1}^{n} ask(c_i) \rightarrow A_i$. This agent leads to a set of corresponding branches in the graph. We introduce at most $m + 1$ branches with $m \le n$, one for each possible successful ask guard. Note that if a $c_i$ condition is not consistent with the store $C(s)$ then the corresponding branch will not be generated. For each new node $s'_i$, we define the transition $R(s, s'_i \cdot \gamma)$ where $\gamma$ is the renaming obtained when new nodes are generated, and we define an extra arc $R(s, s'_{m+1} \cdot \gamma)$ that corresponds to the case when the store does not entail any condition $c_i$ but the execution of concurrent agents proceeds (if there are no concurrent agents, or there are but they cannot proceed, then $s'_{m+1} = s$, thus a self-loop is introduced). Moreover, we do not introduce any additional information into the store and the labels are updated.

Conditional $S = now\ c\ then\ A\ else\ B$. The construction process in this case follows the same idea as for the choice operator: we define two new nodes ($s'_1$ and $s'_2$) that correspond to the two possible behaviors. The first branch corresponds to the case when the store entails $c$. The information that the agent $A$ can generate in a single time instant is added to the store. Also the set of labels is updated. The second branch is defined in a similar way.

Parallel $S = A \parallel B$. When a parallel agent is analyzed, the new node generated depends on the execution of the agents $A$ and $B$ in the present time instant. This means that the new store is defined as the union of the information obtained from the execution of $A$ and $B$ (if it is possible to execute them). Also the set of labels depends on these two agents.

Hiding $S = \exists x\, A$. The behavior of the hiding agent is modeled in the graph construction by the introduction of the necessary renaming of variables in the store.

Procedure Call $S = p(X_1, \ldots, X_n)$. When a procedure call is reached we finish the process by introducing in $s'$ a reference to the initial node of the tccp Structure for $p$. If there are more concurrent agents that must be analyzed, then we continue by considering the tccp Structure already generated for such a clause (with the necessary renaming of variables). We link the current node $s$ with a simplified copy of this piece of structure. The simplification consists in eliminating the branches whose condition is inconsistent with the constraints derived by the other (parallel) agents. Thus, the new node $s'$ depends on the execution of the other concurrent agents and the body of the clause for $p$.

If there are two (or more) procedure calls in parallel the process is similar and 
as many nodes as different possible behaviors are generated. 
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In order to illustrate the construction process, in Figure 11 we present the construction of the tccp Structure for the microwave program introduced earlier. Remember that this program simply detects if the door is open when the microwave works and in that case turns the system off and emits an error signal.




Fig. 11. Construction of the tccp Structures for the microwave example

We can see how, for the first time instant, two nodes corresponding to the two possible behaviors of the conditional agent have been generated in the specification (n1 and n2). Now look at the node n1 where we have that $L(n1) = \{l_{t3}, l_{t12}, l_{t5}, l_{t7}, l_{t14}, l_{p17}\}$. This means that in order to continue with the graph construction we have to try to execute the agents associated with such labels. The tell agents update the store with the information that an error combination has been encountered and in the next time instant a stop signal will be present. This is important because when we try to execute the procedure call associated with $l_{p17}$, only one of the two possible branches can be followed.

When we generate new nodes and the corresponding connecting arcs we should 
consider formulas which are renamed apart. Note that if we find a node equal (up to 
renaming) to another one, a loop will be formed in the graph and the construction 
following this branch will terminate. 

Next we show an additional example which may be useful to understand the construction. Given the program

$p(x) \mathrel{:-} \exists y\,(tell(x = f(y)) \parallel p(y))$

the constructed tccp Structure is shown in Figure 12. Note that, in each state, we store the new information added during a single time instant, thus the store of the
store the new information added during a single time instant, thus the store of the 
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program at a time instant k is given by the union of the information added along 
the path in the structure, after making k loops. For instance, after 3 time instants, 
the derived information is the following: {x = f(y), y = f(y')}. Roughly speaking, 
each time we loop on the second node, a renaming of variables which form the 
constraints in the store is performed. Thus, the renaming {x/y,y/y'} where y' is 
a new variable, defines the new constraint y = f(y'). Following the syntax of the 
program, x = f(y) and y' = f(y") are introduced by the tell agent in the first and 
second time instant respectively. Note that we show the store after 3 instants of 
time since the information produced by a tell agent in a given time instant (for 
example, the second), does not appear in the store till the following time instant. 
This is due to the fact that tell agents take one time instant. 



Fig. 12. Construction of the tccp Structures

4.1.4 Correctness and Completeness

In this section we prove the correctness and completeness of the automatic construction of the model. We first introduce a function which extracts the information from the states of the tccp Structure. We define $st$ as the set of sequences of the form $\{t \mid t = c_1 \cdot c_2 \cdots c_n \cdots\}$ where $c_i$ is a finite constraint.

Definition 9

Given a tccp Structure $Z$ and $s \in tr(Z)$ of the form $s_0 \cdot s_1 \cdots$, we define the function $\delta_s : tr(Z) \rightarrow st$ as follows:

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where $\delta(s_i)$ is defined as

$$\delta(s_i) = \bigsqcup_{0 \le j \le i} C(s_j)$$

The extension of $\delta_s$ to sets of sequences is made in the obvious way.

The following theorem shows that the defined graph construction is correct and complete. In other terms, it shows that the set of traces which correspond to the tccp Structure $Z$ is the same as the one given by the operational semantics of the tccp specification $S$.

Theorem 2

Let $Z$ be the tccp Structure corresponding to the tccp specification $S$. Then the construction $Z$ is correct and complete since

$$\delta_s(tr(Z)) = O(S)$$

Proof 

Let us first define an equivalence relation $\sim$ between configurations of the operational semantics and graph states. Let $\sigma(\Gamma)$ be the store in configuration $\Gamma$; we extend $\sigma$ over sequences of configurations in the obvious way. In the graph, stores are 'extracted' by using function $C$. Then, we say that a configuration $\Gamma$ corresponds to a tccp state $s$ if $C(s) \vdash \sigma(\Gamma)$ and $\sigma(\Gamma) \vdash C(s)$, and the 'active agent' (namely one agent immediately reducible given the store in the current configuration) in $\Gamma$ corresponds to that selected for reduction in $s$; we denote this by $\Gamma \sim s$.

A trace $t$ of the form $s_0, \ldots, s_i, \ldots$ in a tccp Structure $Z$ and a derivation (trace) $\gamma = \gamma_0, \ldots, \gamma_i, \ldots$ in the operational semantics of a specification $S$ correspond iff $\delta_s(t) = \gamma$, i.e., $\forall i\ \delta(s_i) \sim \gamma_i$. We must prove that all (the partial) paths in the tccp Structure $Z$ generated from the specification $S$ have an equivalent trace in the operational semantics of $S$ and vice-versa.

Let us first prove that $\delta_s(tr(Z)) \subseteq O(S)$.

We proceed by induction on the length $n$ of the partial trace in $Z$ and on the structure of the agent $A$ selected in step $n$. Note that each node in the tccp Structure has a finite number of successors, thus we can reason about all of them.

The base case $n = 0$ is trivial, since the tccp Structure $Z$ is based on the same initial state $s_0$ considered in the operational semantics. Let us consider the inductive case, i.e., $n > 0$. Thus, let us consider the trace $s_0, \ldots, s_n$ in $Z$. We assume, by inductive hypothesis, that there exists a corresponding partial derivation $\gamma_0, \ldots, \gamma_n$ in $O(S)$. We now prove that, if a further step is made in $Z$ starting from $s_n$, it is possible to make a further step starting from $\gamma_n$ in $O(S)$ and the new states still correspond. Let $\pi = s_0, \ldots, s_n \in tr(Z)$ and let $A$ be the active agent selected in $s_n$. We have to consider several cases corresponding to the possible structure of $A$.

Tell $A = tell(c)$. Let $C(s_n) = d$ and $T(s_n) = \{l_{tell}\}$. Then, we have the trace $\gamma \in O(A)$ with $\gamma = \gamma_0, \gamma_1, \ldots, \gamma_n$ and $\gamma_n = \langle A, d \rangle$, where $s_n$ and $\gamma_n$ correspond by inductive hypothesis. By the definition of the construction of the structure and the operational semantics we have that $C(s_{n+1}) = \{c \sqcup d\}$, $T(s_{n+1}) = \{\}$ and $\gamma_{n+1} = \langle \emptyset, c \sqcup d \rangle$, which correspond, thus $s_{n+1} \sim \gamma_{n+1}$.
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Choice $A = \sum_{i=1}^{n} ask(c_i) \rightarrow A_i$. Let $C(s_n) = d$ and $T(s_n) = \{l_{ask}\}$. Then, we have the trace $\gamma \in O(A)$ with $\gamma = \gamma_0, \gamma_1, \ldots, \gamma_n$ and $\gamma_n = \langle A, d \rangle$. By inductive hypothesis we have that $s_n \sim \gamma_n$. By definition of the construction of the structure and the operational semantics we have two cases: the first case is when there is no $c_i$ such that $d \vdash c_i$; then in the construction of the tccp Structure there will be a loop, thus the state $s_{n+1}$ actually is the state $s_n$, whereas in the operational semantics there is no possible transition. In this case we just take $\gamma_{n+1} = \gamma_n$, and clearly $s_{n+1} \sim \gamma_{n+1}$.

The second case is when there exists a $c_i$ such that $d \vdash c_i$. This means that we have $C(s_{n+1}) = \{d\}$ and $T(s_{n+1}) = \{l_{A_i}\}$. It is clear that by selecting $A_i$ in $\gamma_n$ we derive $\gamma_{n+1}$, which corresponds to $s_{n+1}$.

Conditional $A = now\ c\ then\ A_1\ else\ A_2$. Let $C(s_n) = d$ and $T(s_n) = \{l_{now}\}$. Then, there exists a trace $\gamma \in O(A)$ with $\gamma = \gamma_0, \gamma_1, \ldots, \gamma_n$ and $\gamma_n = \langle A, d \rangle$, such that, by inductive hypothesis, $s_n \sim \gamma_n$. By definition of the construction of the structure and the operational semantics we have two possible behaviors: either $d \vdash c$ or $d \nvdash c$. In the first case, $C(s_{n+1}) = \{d \sqcup instant(d, l_{A_1})\}$ and $T(s_{n+1}) = follows(l_{A_1})$. On the other side, we have $\gamma_{n+1} = \langle A'_1, d' \rangle$ where $A'_1$ is the agent reached by the execution of $A_1$ and $d'$ the new store with the information added by the execution of $A_1$. Clearly $s_{n+1}$ and $\gamma_{n+1}$ correspond. The case when $d \nvdash c$ is similar, considering $A_2$ for reduction.

Parallel $A = A_1 \parallel A_2$. Let $C(s_n) = d$ and $T(s_n) = \{l_{\parallel}\}$. Then, we have the trace $\gamma \in O(A)$ with $\gamma = \gamma_0, \gamma_1, \ldots, \gamma_n$ and $\gamma_n = \langle A, d \rangle$. By inductive hypothesis $s_n \sim \gamma_n$. By definition of the construction of the structure and the operational semantics we have that $C(s_{n+1}) = \{d \sqcup instant(d, l_{A_1}) \sqcup instant(d, l_{A_2})\}$ and $T(s_{n+1}) = \{follows(l_{A_1}) \cup follows(l_{A_2})\}$. Then, we have $\gamma_{n+1} = \langle A'_1 \parallel A'_2, d' \rangle$ where $A'_1$ ($A'_2$) is the agent reached by the execution of $A_1$ ($A_2$) and $d'$ is the new store with the information added by the execution of $A_1$ and $A_2$. Hence $s_{n+1} \sim \gamma_{n+1}$.

Exists $A = \exists x\, A_1$. Let $C(s_n) = d$ and $T(s_n) = \{l_{\exists}\}$. Then, we have the trace $\gamma \in O(A)$ with $\gamma = \gamma_0, \gamma_1, \ldots, \gamma_n$ and $\gamma_n = \langle A, d \rangle$. By inductive hypothesis $s_n \sim \gamma_n$. We know that $C(s_{n+1}) = \{d \sqcup instant(d, l_{A_1[y/x]})\}$. Note that $instant(d, l_{A_1[y/x]})$ represents the information generated in one time step by the agent $A_1[y/x]$, which is the result of the application of the substitution $y/x$ to the agent $A_1$, and $T(s_{n+1}) = follows(l_{A_1})$. $y$ is a fresh variable, thus the information generated by $A_1$ involving such a variable will not affect the rest of the system. Now, following the operational semantics we derive that $\gamma_{n+1} = \langle \exists^{e'} x\, B, d \sqcup \exists_x e' \rangle$, where $\langle A_1, \exists_x d \rangle \rightarrow \langle B, e' \rangle$. Thus, we can identify $e'$ with the information generated from agent $A_1$, and $s_{n+1}$ and $\gamma_{n+1}$ correspond.

Procedure Call $A = p(X)$. Let $p(X) \mathrel{:-} B$ be a clause in the program (in the specification $S$). Let $C(s_n) = d$ and $T(s_n) = \{l_p\}$. By inductive hypothesis, there exists the trace $\gamma = \gamma_0, \gamma_1, \ldots, \gamma_n \in O(A)$ and $\gamma_n = \langle A, d \rangle$. We have that $s_{n+1} = N$ where $N$ is the first node of the tccp Structure constructed for $p(X)$. We have that $C(s_{n+1}) = C(s_n)$ and $T(s_{n+1}) = l_B$. By expanding the procedure call in the operational semantics we get $\gamma_{n+1} = \langle B, d \rangle$, which clearly corresponds to $s_{n+1}$.
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Now we have to prove that $O(S) \subseteq \delta_s(tr(Z))$. This is completely analogous to the inclusion that we have proved. □

5 Specification of the property 

In this section we present the logic which we use in our model checking algorithm. This is a temporal logic which also has the ability to handle constraints of a given constraint system. In (Boer et al. 2001) the authors presented a temporal logic for reasoning about tccp programs. In particular, it is an epistemic logic with two modalities, one representing knowledge and the other one representing belief. These two modalities allow us to reason about the input-output behavior of programs.

Given an atomic proposition $c$ of the underlying constraint system, $\mathcal{K}(c)$ and $\mathcal{B}(c)$ are formulas of the logic which mean that $c$ is known or $c$ is believed, respectively. In other words, $\mathcal{B}(c)$ holds if the process assumes that the environment provides $c$, whereas $\mathcal{K}(c)$ holds if the information $c$ is produced by the process itself.

The syntax of temporal formulas for this logic is shown below (see (Boer et al. 2001) for details):

Definition 10 

Given an underlying constraint system with set of constraints $\mathcal{C}$, formulas of the temporal logic are defined by

$$\phi ::= \mathcal{K}(c) \mid \mathcal{B}(c) \mid \neg\phi \mid \phi \wedge \psi \mid \exists x\, \phi \mid \circ\phi \mid \phi\, \mathcal{U}\, \psi$$

As for classical temporal logics, it is possible to define other logic operators such as the always or eventually operators from the basic ones. For example, if we want to express that a formula $\phi$ is satisfied at some point in the future, we write $\Diamond\phi = true\, \mathcal{U}\, \phi$. To express that a formula $\phi$ is always satisfied, we can write $\Box(\phi) = \neg(true\, \mathcal{U}\, \neg\phi)$. Moreover, as usual we denote by $\phi \rightarrow \psi$ the formula $\neg\phi \vee (\phi \wedge \psi)$.

A reaction is defined as a pair of constraints of the form $(c, d)$ where $c$ represents the input provided by the environment and $d$ corresponds to the information produced by the process itself. Moreover, it holds that $d \ge c$ for every reaction, i.e., the output always contains the input.

The truth value of temporal formulas is defined with respect to reactive sequences. $(c_1, d_1) \cdots (c_n, d_n)(d, d)$ denotes a reactive sequence which consists of a sequence of reactions. Each reaction in the sequence represents a computation step performed by an agent at time $i$. Intuitively each pair can be seen as the input-output behavior at time $i$.

Therefore, given a reactive sequence $s$ we can define the truth values of formulas. The function $first(s)$ returns the first reaction of a sequence, i.e., if $s = (c_1, d_1) \cdots (c_n, d_n)(d, d)$ then $first(s) = (c_1, d_1)$. $next(s)$ returns the sequence obtained by removing the first reaction of it, i.e., if $s = (c_1, d_1) \cdots (c_n, d_n)(d, d)$ then $next(s) = (c_2, d_2) \cdots (c_n, d_n)(d, d)$.

We say that $(c, d) \models \mathcal{B}(e)$ if $c \vdash e$, i.e., the reaction "believes" the constraint $e$ if
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the first component of the reaction ($c$) entails $e$. Moreover, $(c, d) \models \mathcal{K}(e)$ if $d \vdash e$, i.e., the reaction $(c, d)$ "knows" the constraint $e$ if its second component entails $e$.
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Definition 11 (by F. de Boer et al.)

Let $s$ be a timed reactive sequence and $\phi$ be a temporal formula. Then we define $s \models \phi$ by:

$s \models \mathcal{K}(c)$ if $first(s) \models \mathcal{K}(c)$
$s \models \mathcal{B}(c)$ if $first(s) \models \mathcal{B}(c)$
$s \models \neg\phi$ if $s \not\models \phi$
$s \models \phi_1 \wedge \phi_2$ if $s \models \phi_1$ and $s \models \phi_2$
$s \models \exists x\, \phi$ if $s' \models \phi$ for some $s'$ such that $\exists_x s = \exists_x s'$
$s \models \circ\phi$ if $next(s) \models \phi$
$s \models \phi\, \mathcal{U}\, \psi$ if for some $s' \le s$, $s' \models \psi$ and for all $s' < s'' \le s$, $s'' \models \phi$

where, for a sequence $s = (c_1, d_1) \cdots (c_n, d_n)$, we define the existential quantification $\exists_x s = (\exists_x c_1, \exists_x d_1) \cdots (\exists_x c_n, \exists_x d_n)$.

We say that a formula is valid ($\models \phi$) if and only if for every reactive sequence $s$, $s \models \phi$ holds. The reader can see that the modal operators $\mathcal{K}$ and $\mathcal{B}$ are monotonic w.r.t. the entailment relation of the underlying constraint system.

In this work we want to reason about tccp programs. Since the store of such programs evolves monotonically along the time, the notion of monotonically increasing reactive sequences is defined: let $s$ be a reactive sequence of the form $(c_1, d_1) \cdots (c_{n-1}, d_{n-1})(c_n, d_n)$, then we say that $s$ is monotonically increasing if it satisfies $c_i \le d_i$ and $d_j \le c_{j+1}$ for each $i \in \{1, \ldots, n\}$ and $j \in \{1, \ldots, n-1\}$. From now on we consider only monotonically increasing reactive sequences. In Table 1 some properties of the logic operators are shown.



Table 1. Logic Operators Properties

$\mathcal{B}(c) \rightarrow \Box(\mathcal{B}(c))$
$\mathcal{K}(c) \rightarrow \Box(\mathcal{K}(c))$
$\mathcal{B}(c) \rightarrow \mathcal{K}(c)$
$\mathcal{K}(c) \rightarrow \circ\mathcal{B}(c)$



Therefore, whenever a constraint is believed in a specific time instant, then it will 
be believed also in all the following time instants. Moreover, if a given constraint is 
known at the present time instant, then it will be known at every time instant in 
the future. 

Finally, we can define a relation between modal operators. In particular, we say 
that if a constraint c is believed at a specific time instant, then it is also known. 
Also, if the constraint c is known at a specific time instant, then it is believed at 
the following one. 

The logic presented in this section can be seen as a kind of linear temporal logic. The reader can see that there are no quantifiers over alternative paths. It is considered that each instant of time has only one direct successor. In fact, if we compare this logic with the classical LTL logic (see (Clarke et al. 1999) for example)
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we can see that each temporal operator corresponds to a temporal operator from LTL.

As we have said in the introduction, in model checking we assume a closed world in the sense that all the agents which can interact with the system are modeled. For this reason, the output in a time instant will always coincide with the input in the following time instant, i.e., it is not possible that information different from the one generated by the model be introduced as an extra input in any time instant. This means that we can work with simple sequences of stores instead of working with sequences of reactions. We simply eliminate (or ignore) the second component of each reaction since it coincides with the first one of the subsequent reaction.

From now on, when we speak about sequences in the logic, we mean sequences of the form $s = s_0, s_1, \ldots$ where each $s_i$ is a store, and we omit the modal operator $\mathcal{K}$. The monotonic properties described above are maintained.



5.1 Some examples 

Here we illustrate which kind of properties we are able to specify using this logic. We refer to the microwave program example introduced earlier. Remember that such an example models a very simplified program which controls the state of the door of a microwave.

We could check if it is true that when an error is detected, then the microwave 
has been turned-off. Actually, the error has occurred in the previous time instant 
since the door was open and the microwave was working, but the program can 
emit the error signal only in the following time instant, and at the same time the 
microwave should be turned-off. 

The following formula represents such a property.

$$\neg(true\, \mathcal{U}\, \neg\exists_{\{Error,E,Button,B\}}(Error = [no \mid E] \vee (Error = [yes \mid E] \wedge Button = [off \mid B]))) \qquad (2)$$

It could seem that it is a complicated formula, but if we think in terms of the always and eventually operators defined before, it becomes a very intuitive formula:

$$\Box\, \exists_{\{Error,E,Button,B\}}(Error = [no \mid E] \vee (Error = [yes \mid E] \wedge Button = [off \mid B]))$$

We can also model the property that the door will be eventually closed:

$$\Diamond\, \exists_{\{Door,D\}}(Door = [close \mid D]) \qquad (3)$$

Let us now remark on the importance of the logic chosen in this work. We know that states of the tccp Structure represent only partial information. Therefore, if we want to check properties directly on the tccp Structure, we need a logic able to handle partial information, as is the case for the logic presented in this section.

If we used a classical logic, we would have to consider each possible valuation of the variables for each tccp state. In that case we would have the same problem as in (Falaschi et al. 2000a; Falaschi et al. 2000b), i.e., we would not take advantage of the compact representation of the system that constraints provide. Finally, the model-checking algorithm would not be effectively applicable because of the state-explosion problem.
6 The algorithm

The third and last phase of the model-checking technique is to define the algorithm which checks whether a given temporal formula is satisfied by the model. The idea of the algorithm is similar to that of the classical tableau algorithm for the LTL model-checking problem. The first step is to construct the closure of the formula that we want to verify. This closure is reminiscent of the one of Fischer and Ladner (Fischer and Ladner 1979).

Actually, if we intend to prove that the model satisfies the formula $\phi$, then we construct the closure of the negated formula ($\neg\phi$). The atomic propositions of the logic are those of the underlying constraint system. The closure of the negated formula and the tccp Structure are used to construct a graph structure (called the model-checking graph). This graph consists of nodes of the form $(q, \Phi)$ where $q$ is a state of the tccp Structure and $\Phi$ is a set of formulas from the closure of $\neg\phi$. The constructed graph allows us to verify whether the property is satisfied by the system by using well-known graph algorithms. In particular, we look for a path which starts from an initial state and reaches a strongly connected component (SCC) satisfying certain properties. If such a path exists, then we can say that the property $\neg\phi$ is satisfied, thus $\phi$ is not satisfied in the model of the system. In this section we describe this process in more detail.

The construction of the graph combining the formula and the model might not terminate. It is for this reason that we use the time interval which the user provides to the system. This interval imposes a time limit. If the time limit is reached, the system aborts the construction of the graph. The idea is that if this occurs, then we have obtained an over-approximation of the model, which nevertheless allows us to make useful verifications over the finite graph computed.

6.1 The closure of the formula

The closure $CL(\phi)$ of a formula $\phi$ allows us to determine its truth value. Intuitively, it is the set of sub-formulas that can affect the truth value. This set is classically used to define tableau algorithms where sub-formulas are evaluated as follows: the simplest formulas are evaluated first, then more complex formulas are considered. Thus, we can say that the closure of $\phi$ ($CL(\phi)$) is the smallest set of formulas satisfying the following conditions:

• $\phi \in CL(\phi)$,

• $\neg\phi_1 \in CL(\phi)$ iff $\phi_1 \in CL(\phi)$,

• if $\phi_1 \land \phi_2 \in CL(\phi)$, then $\phi_1, \phi_2 \in CL(\phi)$,

• if $\exists x\,\phi_1 \in CL(\phi)$, then $\phi_1 \in CL(\phi)$,

• if $\bigcirc\phi_1 \in CL(\phi)$, then $\phi_1 \in CL(\phi)$,

• if $\neg\bigcirc\phi_1 \in CL(\phi)$, then $\bigcirc\neg\phi_1 \in CL(\phi)$,

• if $\phi_1\,\mathcal{U}\,\phi_2 \in CL(\phi)$, then $\phi_1, \phi_2, \bigcirc(\phi_1\,\mathcal{U}\,\phi_2) \in CL(\phi)$.

Note that in the case of $\neg\bigcirc\phi_1$ it is necessary to introduce the formula $\bigcirc\neg\phi_1$, which cannot be generated by the other rules.






Now we consider the microwave program example. The formula (2) for which we calculate the closure is the one presented in the previous section.

Example 1

For the program shown in Figure ??, we construct the closure of the formula we want to verify, starting from the negation of Formula (2). Note that we assume that $\neg\neg\phi \equiv \phi$. We also change, in the obvious way, the disjunction operator into a conjunction:

$$\mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B])) \qquad (4)$$

Then we show the closure $CL(\chi)$ of this formula, where $\chi$ stands for Formula (4). Note that the size of the closure increases polynomially with the size of the formula (meaning the number of operators in the formula).

$$\begin{aligned}
CL(\chi) = \{\ & \mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B])), \\
& \mathit{true}, \\
& \mathit{false}, \\
& \neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]), \\
& \neg(Error = [no \mid E]), \\
& \neg(Error = [yes \mid E] \land Button = [off \mid B]), \\
& \neg(\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B])), \\
& Error = [no \mid E], \\
& Error = [yes \mid E] \land Button = [off \mid B], \\
& Error = [yes \mid E], \\
& Button = [off \mid B], \\
& \neg(Error = [yes \mid E]), \\
& \neg(Button = [off \mid B]), \\
& \bigcirc\big(\mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]))\big), \\
& \neg\bigcirc\big(\mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]))\big), \\
& \bigcirc\neg\big(\mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]))\big), \\
& \neg\big(\mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]))\big) \ \}
\end{aligned}$$

6.2 The model-checking graph

Given a formula $\phi$ of the logic described in Section 5 and the tccp Structure $Z$ constructed from the specification, the graph $G(\phi, Z)$ is defined as follows.

Definition 12 (Model-Checking Graph)

Let $\phi$ be a formula, $CL(\phi)$ the closure of $\phi$ as defined in Section 6.1, and $Z$ the tccp Structure constructed following the algorithm described in Section 4.1.3. A node $n$ of the model-checking graph is a pair of the form $(s_n, Q_n)$ where $s_n$ is a state of $Z$ and $Q_n$ is a subset of $CL(\phi)$ and the atomic propositions such that the following conditions are satisfied:

• for each atomic proposition $p$, $\mathcal{K}(p) \in Q_n$ iff $p \in \mathcal{L}(s_n)$,

• for every $\exists x\,\phi_1 \in CL(\phi)$, $\exists x\,\phi_1 \in Q_n$ iff $\exists x\,\phi_1 \in \mathcal{L}(s_n)$,

• for every $\phi_1 \in CL(\phi)$, $\phi_1 \in Q_n$ iff $\neg\phi_1 \notin Q_n$,

• for every $\phi_1 \land \phi_2 \in CL(\phi)$, $\phi_1 \land \phi_2 \in Q_n$ iff $\phi_1 \in Q_n$ and $\phi_2 \in Q_n$,

• for every $\neg\bigcirc\phi_1 \in CL(\phi)$, $\neg\bigcirc\phi_1 \in Q_n$ iff $\bigcirc\neg\phi_1 \in Q_n$,

• for every $\phi_1\,\mathcal{U}\,\phi_2 \in CL(\phi)$, $\phi_1\,\mathcal{U}\,\phi_2 \in Q_n$ iff $\phi_2 \in Q_n$ or $\phi_1, \bigcirc(\phi_1\,\mathcal{U}\,\phi_2) \in Q_n$.

An edge in the graph is defined as follows: there is an edge from a node $n_1 = (s_1, Q_1)$ to another node $n_2 = (s_2, Q_2)$ iff there is an arc from the node $s_1$ to the node $s_2$ in the tccp Structure and, for every formula $\bigcirc\phi_1 \in CL(\phi)$, $\bigcirc\phi_1 \in Q_1$ iff $\phi_1 \in Q_2$.

Note that, in the definition above, when we take into consideration the set of arcs of the tccp Structure (when analyzing the formulas containing the next operator), we also consider the renaming that may label these arcs.

Intuitively, for each node of the model-checking graph, $Q$ holds the largest consistent set of formulas that is also consistent with the labelling function (the function $\mathcal{L}$) of the tccp Structure. Moreover, two nodes of the graph are related if the temporal formulas in their $Q$ sets are consistent.

For each node $s_i$ of the tccp Structure many nodes are generated in the model-checking graph. All these nodes have the state $s_i$ as first component, and the second component consists of the different consistent sets of formulas derived from $\mathcal{L}(s_i)$ and the closure of the formula.

Next we show an example to illustrate how the nodes of the model-checking graph are constructed. We construct the graph for the negation of the property, since we intend to prove that there is no computation of the system which satisfies the negated property. This is equivalent to proving that the property is satisfied by all the computations.

Example 2

In this example we show some nodes of the graph which would result from our program example. We take the tccp Structure shown in Figure ?? and the closure set of the formula shown in the previous section. In the sets below, $\chi$ abbreviates Formula (4), i.e., $\mathit{true}\ \mathcal{U}\ (\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]))$.

Here we show two of the nodes generated for $s_1$ and one of the nodes generated for $s_2$.

$n_1 = (s_1, Q_1)$ where

$$\begin{aligned}
Q_1 = \{\ & Door = [open \mid D] \land Button = [on \mid B], \\
& \mathit{true},\ Error = [no \mid E], \\
& \neg(Button = [off \mid B]), \\
& \neg(Error = [yes \mid E] \land Button = [off \mid B]), \\
& \neg(\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B])), \\
& \bigcirc\chi,\ \chi \ \}
\end{aligned}$$

$n_2 = (s_1, Q_2)$ where

$$\begin{aligned}
Q_2 = \{\ & Door = [open \mid D] \land Button = [on \mid B], \\
& \mathit{true},\ Error = [yes \mid E], \\
& \neg(Button = [off \mid B]), \\
& \neg(Error = [yes \mid E] \land Button = [off \mid B]), \\
& \neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B]), \\
& \chi,\ \bigcirc\chi \ \}
\end{aligned}$$

$n_3 = (s_2, Q_3)$ where

$$\begin{aligned}
Q_3 = \{\ & Error = [yes \mid E],\ Button = [off \mid B], \\
& \neg(Door = [open \mid D] \land Button = [on \mid B]), \\
& \mathit{true}, \\
& Error = [yes \mid E] \land Button = [off \mid B], \\
& \neg(\neg(Error = [no \mid E]) \land \neg(Error = [yes \mid E] \land Button = [off \mid B])), \\
& \bigcirc\chi,\ \chi \ \}
\end{aligned}$$

Then, following the definition of the model-checking graph, we can define an arc from $n_2$ to $n_3$, since for each formula of the form $\bigcirc\phi$ in the closure, if it is in $Q_2$ then $\phi$ is in $Q_3$.

Fig. 13. A part of the model-checking graph for the tccp Structure shown in Figure ?? and Formula (2)

In this example, a brief time interval is sufficient to build the complete graph without approximation. During the construction, we can annotate how many steps are needed to reach each node from a root node, which determines the current instant of time. If this instant of time equals the time limit, then the construction is concluded and the graph obtained up to that moment is given as the output of the algorithm.
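The following Python program is an added illustration, not part of the paper: it implements the closure rules of Section 6.1 and the node and edge conditions of Definition 12, and runs them on Formula (4) over a constructed two-state fragment of the tccp Structure of Example 2 (the names A, B, C, PSI, LABELS and ARCS are assumptions of this example, the existential quantifier is left out as Formula (4) itself drops it, and the K modality is not modelled separately: literals entailed by a store are simply required in Q, all other atoms are left free). Note that, because the negation rule is an "iff", the rules also place $\neg\bigcirc\neg\chi$ in the closure, so the set has 18 members rather than the 17 listed in Example 1.

```python
"""Closure rules (Section 6.1) and model-checking graph nodes and edges
(Definition 12), run on Formula (4) of the microwave example."""
from itertools import product

# Formulas are nested tuples: ('atom', name), ('true',), ('not', f),
# ('and', f, g), ('next', f), ('until', f, g); 'false' is ('not', ('true',)).
# The existential quantifier is left out, as Formula (4) itself drops it.
TRUE = ('true',)

def neg(f):
    """Negation, identifying ~~f with f as Example 1 assumes."""
    return f[1] if f[0] == 'not' else ('not', f)

def closure(phi):
    """Smallest set of formulas satisfying the closure rules of Section 6.1."""
    cl, todo = set(), [phi]
    while todo:
        f = todo.pop()
        if f in cl:
            continue
        cl.add(f)
        todo.append(neg(f))                      # ~f1 in CL iff f1 in CL
        if f[0] == 'and':
            todo += [f[1], f[2]]
        elif f[0] == 'next':
            todo.append(f[1])
        elif f[0] == 'not' and f[1][0] == 'next':
            todo.append(('next', neg(f[1][1])))  # ~O f1 in CL  =>  O ~f1 in CL
        elif f[0] == 'until':
            todo += [f[1], f[2], ('next', f)]    # f1, f2 and O(f1 U f2)
    return cl

def consistent(cl, label, q):
    """Definition 12 conditions on Q_n; `label` holds the literals the store of
    s_n entails (standing in for K(p) in L(s_n)), all other atoms are free."""
    for f in cl:
        inq = f in q
        if (f == TRUE or f in label) and not inq:
            return False
        if inq == (neg(f) in q):                 # f in Q iff ~f not in Q
            return False
        if f[0] == 'and' and inq != (f[1] in q and f[2] in q):
            return False
        if f[0] == 'not' and f[1][0] == 'next' and inq != (('next', neg(f[1][1])) in q):
            return False
        if f[0] == 'until' and inq != (f[2] in q or (f[1] in q and ('next', f) in q)):
            return False
    return True

def nodes_for(cl, state, label):
    """All nodes (state, Q) for one tccp state: choose each non-negated closure
    formula in or out, add the negations of the rest, keep the consistent sets."""
    positive = sorted(f for f in cl if f[0] != 'not')
    nodes = []
    for bits in product((False, True), repeat=len(positive)):
        q = frozenset(f if b else neg(f) for f, b in zip(positive, bits))
        if consistent(cl, label, q):
            nodes.append((state, q))
    return nodes

def has_edge(cl, arcs, n1, n2):
    """Edge iff Z has an arc s1 -> s2 and O f1 in Q1 iff f1 in Q2 for every O f1 in CL."""
    (s1, q1), (s2, q2) = n1, n2
    return (s1, s2) in arcs and all((f in q1) == (f[1] in q2) for f in cl if f[0] == 'next')

# Constructed instance: Formula (4) with its three atomic constraints.
A = ('atom', 'Error=[no|E]')
B = ('atom', 'Error=[yes|E]')
C = ('atom', 'Button=[off|B]')
BODY = ('and', neg(A), neg(('and', B, C)))
PSI = ('until', TRUE, BODY)                      # true U (~A /\ ~(B /\ C))

# Constructed fragment of the tccp Structure of Example 2: in s1 the button is
# on, so Button=[off|B] is known false; s2 entails B and C; one arc s1 -> s2.
LABELS = {'s1': {neg(C)}, 's2': {B, C}}
ARCS = {('s1', 's2')}

def microwave_graph():
    """Closure, all graph nodes of s1 and s2, and the edges between them."""
    cl = closure(PSI)
    nodes = nodes_for(cl, 's1', LABELS['s1']) + nodes_for(cl, 's2', LABELS['s2'])
    edges = [(n, m) for n in nodes for m in nodes if has_edge(cl, ARCS, n, m)]
    return cl, nodes, edges
```

With these labels the free atoms give 8 nodes for s1 and 4 for s2, and every s1 node containing $\bigcirc\chi$ gets edges exactly to the s2 nodes containing $\chi$, which is the arc from $n_2$ to $n_3$ of Example 2 in general form.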

6.3 The searching algorithm

It is well known that, in order to prove that a property is satisfied, it is possible to prove that there is no path satisfying the negation of the property. Thus, for verifying the formula $\phi$, we construct the model-checking graph using the negation of $\phi$ and the model of the system. Then we look for a sequence such that, starting from the initial node of the graph, it reaches a self-fulfilling strongly connected component (SCC). Let us now give the formal definitions of SCC and self-fulfilling SCC.

Definition 13 (Strongly Connected Component)

Given a graph $G$, we define a Strongly Connected Component (SCC) $C$ as a maximal subgraph of $G$ such that every node in $C$ is reachable from every other node in $C$ along a directed path entirely contained within $C$.

We say that $C$ is nontrivial iff either it has more than one node or it contains one node with a self-loop.

Then we can define a particular kind of strongly connected component. Actually, we will search for SCCs satisfying the following properties in our model-checking algorithm.

Definition 14 (Self-fulfilling SCC)

Given a model-checking graph $G$, a self-fulfilling strongly connected component $C$ is defined as a nontrivial strongly connected component in $G$ such that for every node $n$ in $C$ and for every $\phi_1\,\mathcal{U}\,\phi_2 \in Q_n$, there exists a node $m$ in $C$ such that $\phi_2 \in Q_m$, and vice versa.

Now, let $G$ be the model-checking graph generated following the steps described in Definition 12. We say that a sequence is an eventually sequence if it is an infinite path in $G$ such that, if there exists a node $n$ in the path with $\phi_1\,\mathcal{U}\,\phi_2 \in Q_n$, then there exists another node $n'$ in the same path, reachable from $n$ along the path, such that $\phi_2 \in Q_{n'}$.

Moreover, we can prove the following result, which says that if we find a self-fulfilling strongly connected component in the corresponding model-checking graph, then the property represented by the formula is satisfied by the system. Our problem will be to prove that such a self-fulfilling SCC does not exist.^3

Theorem 3

Let $\phi$ be a formula, $Z$ a tccp Structure and $G(\phi, Z)$ the corresponding model-checking graph. If there exists a path in $G$, which satisfies a formula $\phi$, from an initial node to a self-fulfilling strongly connected component, then the model $Z$ satisfies the formula $\phi$.

Proof

In order to prove this theorem we prove instead an equivalent result. We prove that if there exists an eventually sequence starting at an initial node $n = (s, Q_n)$ such that the formula $\phi$ is in $Q_n$, then the model satisfies the formula $\phi$. This result is equivalent to the statement of the theorem, since classical results (Clarke et al. 1999; Manna and Pnueli 1995) show that there exists an eventually sequence starting at a node $n = (s, Q_n)$ if and only if there is a path in $G(\phi, Z)$ from $n$ to a self-fulfilling SCC. We show that we can extend this result directly to our framework.

^3 Note that the result assumes that the construction of the graph has terminated before reaching the time limit provided by the user.

Assume that we have an eventually sequence $n_1, n_2, \ldots$ where $n_1 = (s_1, Q_{n_1})$, $n_2 = (s_2, Q_{n_2})$, etc., starting with $n_1 = n$. This eventually sequence starts at node $n_1$ with $\phi \in Q_{n_1}$. By definition, $\pi = s_1, s_2, \ldots$ is a path in the model $Z$ starting at $s = s_1$. We want to show that $\pi \models \phi$. We will prove a stronger result: for every formula $\psi$ in the closure of the formula $\phi$ ($\psi \in CL(\phi)$) and every $i > 0$, $\pi^i \models \psi$ iff $\psi \in Q_{n_i}$. We follow the classical notation, and by $\pi^i$ with $i > 0$ we mean the suffix of the path $\pi$ starting from the $i$-th component: $\pi^i = s_i, s_{i+1}, \ldots$. The proof proceeds by structural induction over the sub-formulas. There are six cases, corresponding to the six operators of the logic considered.

1. If $\psi$ is an atomic formula, then by Definition 12 of node $n_i$, $\psi \in Q_{n_i}$ iff $\psi \in \mathcal{L}(s_i)$.

2. If $\psi = \exists x\,\chi$ then $\pi^i \models \psi$ iff $\psi \in \mathcal{L}(s_i)$.

3. If $\psi = \neg\chi$ then $\pi^i \models \psi$ iff $\pi^i \not\models \chi$. By the inductive hypothesis, this holds iff $\chi \notin Q_{n_i}$. By Definition 12 this guarantees that $\psi \in Q_{n_i}$.

4. If $\psi = \chi_1 \land \chi_2$ then $\pi^i \models \psi$ iff $\pi^i \models \chi_1$ and $\pi^i \models \chi_2$. By the inductive hypothesis, this holds iff $\chi_1 \in Q_{n_i}$ and $\chi_2 \in Q_{n_i}$. By Definition 12 this is true iff $\psi \in Q_{n_i}$.

5. If $\psi = \bigcirc\chi$ then $\pi^i \models \psi$ iff $\pi^{i+1} \models \chi$. By the inductive hypothesis this holds iff $\chi \in Q_{n_{i+1}}$. Since $((s_i, Q_{n_i}), (s_{i+1}, Q_{n_{i+1}})) \in R$, the above holds iff $\bigcirc\chi \in Q_{n_i}$.

6. If $\psi = \chi_1\,\mathcal{U}\,\chi_2$ then, by definition of an eventually sequence, there is some $j \ge i$ such that $\chi_2 \in Q_{n_j}$. Since $\psi \in Q_{n_i}$, the definition of a node implies that if $\chi_2 \notin Q_{n_i}$, then $\chi_1 \in Q_{n_i}$ and $\bigcirc\psi \in Q_{n_i}$. In this case, the definition of the transition relation of $G$ implies that $\psi \in Q_{n_{i+1}}$. It follows that for every $i \le k < j$, $\chi_1 \in Q_{n_k}$. By the inductive hypothesis, $\pi^j \models \chi_2$ and for every $i \le k < j$, $\pi^k \models \chi_1$. Hence $\pi^i \models \psi$.
Conversely, since $\pi^i \models \psi$, there exists $j \ge i$ such that $\pi^j \models \chi_2$ and for all $i \le k < j$, $\pi^k \models \chi_1$. We take the minimum such $j$. By the inductive hypothesis, $\chi_2 \in Q_{n_j}$ and for every $i \le k < j$, $\chi_1 \in Q_{n_k}$. Suppose $\psi \notin Q_{n_i}$. Since $\chi_1 \in Q_{n_i}$, by Definition 12 $\bigcirc\psi \notin Q_{n_i}$, which implies that $\bigcirc\neg\psi \in Q_{n_i}$. Now, by definition of the transition relation of $G$, $\neg\psi \in Q_{n_{i+1}}$, and hence $\psi \notin Q_{n_{i+1}}$. Continuing the argument inductively, we would eventually find $\psi \notin Q_{n_j}$, which is a contradiction since $\chi_2 \in Q_{n_j}$.

This proves that if we have an eventually sequence, the model satisfies the formula $\phi$. Now we have the classical result that can be applied to the graph $G$: instead of looking for an eventually sequence, we can look for a path from the initial node $n$ to a self-fulfilling SCC. There are algorithms that implement this search with a complexity linear in the size of the graph and exponential in the size of the formula. □

Regarding the complexity of the algorithm, we can see that the method is quite inefficient, since it is based on the tableau algorithm for LTL. Note that the problem this algorithm solves is PSPACE-complete. The important point is that we are dealing with a programming language and we can handle constraints as a powerful way to represent systems. Moreover, we obtain a complexity similar to that of the classical approach, since we use a logic which is able to handle tccp states. If we had used a classical logic, the complexity would have increased far more, since it would be necessary to unfold the states of the graph structures in order to consider all the possible valuations of variables which could satisfy a given constraint.

7 Related Works

We can find in the literature some related works which use the notion of constraint in order to solve the automatic verification problem for infinite-state systems. For example, in (Delzanno and Podelski 2001) and (Delzanno and Podelski 1999), the authors introduce a methodology to translate concurrent systems into CLP programs and verify safety and liveness properties over such CLP programs. (Esparza and Melzer 1997) introduces a semi-decision algorithm that uses constraint programming in order to verify 1-safe Petri nets. Actually, while in (Delzanno and Podelski 2001; Delzanno and Podelski 1999) constraints are used as an abstract representation of sets of system states, in (Esparza and Melzer 1997) constraint programming is used for solving linear constraints in the implementation of the algorithm.

Constraints are useful for different purposes in software verification. They can be used in the checking algorithms, as is done in (Esparza and Melzer 1997); they can be used to model the problem, as Delzanno and Podelski do; and they can also be integrated into the specification language that is used to model the system, as we do.

Regarding the systems that our approach is able to verify, we have seen that there are basically two main cases. The first case is when we are able to verify a system without the limitation on the time interval, and the second case is when the time limit is reached. The first case corresponds to systems whose infinite nature comes from the fact that they use variables with an infinite domain. These systems are somehow similar to the ones that can be verified in (Delzanno and Podelski 2001) for safety properties. In the second case we consider a large class of systems by using the time interval "approximation". If we reach the time limit imposed by the user (obviously, if the user provides too short a time interval, then some systems of the first class end up in this second category), then we must stop the construction of the graph $G$ at that point. Thus, we can verify the system, but we must consider that it is an approximation of the original system.

We note that there are some limitations in the tccp language since, for example, tccp is not able to model strong preemption, while (Delzanno and Podelski 2001) considers a language which can express this behavior.

In recent years many different extensions over time have been presented in the literature. There are approaches which extend the cc paradigm with a notion of discrete time (tccp, tcc (Saraswat et al. 1994) or ntcc (Valencia 2002)) and there is also an extension of the model with a notion of continuous time (the hybrid cc language (Gupta et al. 1998)). Regarding ntcc, in (Valencia 2003) the author presented some decidability results with respect to that language. Those results show that it is possible to apply model checking to ntcc, but no algorithm nor complexity studies are presented.

In (Falaschi et al. 2000a; Falaschi et al. 2000b) a method to construct a structure was presented as a first step towards the definition of a model-checking technique for tcc. Nevertheless, the structure defined in (Falaschi et al. 2000a; Falaschi et al. 2000b) to model tcc programs was quite different from the structure defined in this work. Actually, in those works the modeling phase was defined in detail, giving only a brief description of the specification and the algorithmic phases.

The tcc Structure had two kinds of transitions: the timed transitions and the normal transitions. The set of states of the tcc Structure was defined in a way similar to the tccp Structure and could also be seen as sets of classical states of a Kripke Structure. However, also in this case, classical model-checking algorithms cannot be applied to tcc Structures: first of all because tcc Structures have two kinds of transitions, and secondly because the algorithms cannot handle the notion of state of the graph structure. Note that in the tccp approach we have only one kind of transition relation, thus we have only one problem: how to handle states.

Another main difference between the tcc and the tccp Structure lies in the interpretation of branching points. Branching points in tcc Structures are due to the interleaving nature of the model. The normal transitions are instantaneous in the sense that they do not cause time steps. The branching points of the tccp Structure due to conditional agents can be viewed as the branching points which could appear at the quiescence points of the tcc Structure, i.e., when passing from one time instant to the following one. However, branching points of the tccp Structure due to Choice agents cannot be identified with anything in the tcc Structure, since the tcc model is deterministic.

In (Falaschi et al. 2000a; Falaschi et al. 2000b) the idea was to transform the tcc Structure into a Kripke structure, and hence the problem at that point was the huge number of states of the transformed structure. Essentially, we lost the possibility to take advantage of the compact representation that the notion of constraint provides.

In the tccp approach it is not necessary to eliminate kinds of transitions (since there is only one type). More importantly, it is not necessary to unfold the possible values of variables in order to define a model-checking method. Actually, we use a temporal logic which is able to handle the tccp states.

In (Falaschi et al. 2001) a first approach to the problem of verification of hcc, which is similar to the problem for tccp, was presented. The idea was essentially the same, i.e., to define a structure able to represent the system behavior and to check properties over that structure. However, we just constructed the basic model, which was transformed into a linear time automaton that could be given as input to a classical model checker such as HyTech.

8 Conclusions 

In this work we have introduced a method that allows us to check properties of a temporal logic over reactive systems that are specified in the Timed Concurrent Constraint Language defined in (Boer et al. 2000). We have seen that we can adapt the classical method of LTL model checking to the logic presented in (Boer et al. 2001) and to the tccp Structure defined in this paper, which models the system behavior. We have described a method that can handle generic programs written in tccp, which means that we are not restricting ourselves to finite-state systems. By using tccp we can define infinite-state systems that can be handled by the logic which we have used. This epistemic logic allows us to work with constraints. Constraints can be seen as a compact representation of (possibly infinitely) many states. In previous work (Falaschi et al. 2000a; Falaschi et al. 2000b) the authors defined a structure which can help to verify a different class of reactive systems specified using another language from the ccp framework. (Falaschi et al. 2000a; Falaschi et al. 2000b) defined a kind of structure that may seem similar to the tccp Structure but is essentially different: the nodes and the arcs of the graph structure are interpreted in a different manner. Furthermore, (Falaschi et al. 2000a; Falaschi et al. 2000b) do not define any model-checking algorithm; rather, they only concentrate on the modeling phase. We have proved that our verification method is correct and have illustrated how it works.

We plan to make a prototype implementation of our system and test it on a set of benchmarks, such as protocol verification and the verification of properties of concurrent systems like safety or liveness properties.

We also want to study how our method can be optimized in order to improve its efficiency. It is well known that this kind of classical model-checking algorithm is exponential in the size of the formula. Hence, as future work we want to extend to our framework some efficient model-checking algorithms, such as symbolic model checking, in order to avoid a complete construction of the graph.